What to expect when you’re not expecting (a security breach)

2015 was another difficult year for Cybersecurity practitioners and organizations working to defend themselves against an increasingly innovative, aggressive, and situationally aware set of adversaries. Large breaches made headlines, while many individuals and smaller organizations were victimized by well monetized crimeware[1] (especially ransomware[2]) and various email and other online account compromises.

We see susceptibility to social engineering, unpatched (vulnerable) software, and a lack of executive support for security initiatives rank as our clients’ greatest information security obstacles. Nearly all security professionals we speak to point to organizational challenges, namely the lack of executive buy in as their greatest concern. Spoiler Alert: We wrote this post to try to get more executives engaged.

We often see how surprised (and angry) non-technical business leaders are at the state of their organizations information security posture after a breach or audit. They honestly felt that “someone was taking care of it” and that their security was “good enough.” This gap can only be addressed by executive involvement as most executives will make appropriate security decisions if they have the relevant information and take the necessary time to understand the situation.

While more organizations seem to be recognizing the relationship between resource allocation, management involvement, and security outcomes, the shift seems to be a day late and about $15 million dollars short.[3] (Read the footnote if you think $15 Mil was an arbitrary number.)

In trying to find ways to draw (or drag) more business leaders into the conversation, we’re advocating that all organizations take the time to develop (and/or refine) their incident response playbook. This exercise has value both for the IT security organization as well as the executive team.

Defining roles and responsibilities is important in this process. A scenario-based walk through of a significant breach often highlights skill and technology gaps, hopefully giving the organization a window of time to build an effective incident response capability in advance. The IT security team needs to have a plan on how it will detect, contain, and recover from security failures. The executive team needs to be emotionally, financially, and legally prepared to explain the situation to various stakeholders and defend the organization against a second wave of attacks. Customers, partners, employees, and other parties that may have suffered losses due to the organization’s security failure will likely have some involvement in the post-mortem. This process often plays out in the media as well as the courtroom so all parties need to be prepared to publicly defend their decisions.

If you don’t expect to experience some type of security failure, you’re just not paying attention.

Expecting to suffer a security failure is not defeatist… It’s a sign of intelligence and humility. Some security failures involve a minor inconvenience….. a teachable moment that was promptly contained…. Others escalate into breaches that have catastrophic consequences for your career, your organization, and the public you serve.

Having and setting the right expectations is an important tactic because while some level of failure is inevitable; the scope, cost, and recoverability of that failure can vary greatly. Aligning executive expectations to the realities of the organization’s security posture and incident response capabilities is an effective way to engage them in the process and increase their level of support for IT security initiatives.

Stay safe and feel free to reach out to us with comments on this article or questions about Information Security in general.